Script started on Sat Aug 9 15:42:00 2003
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.
NO system call table modifications were found.
NO hidden processes were found.
WARNING: File size is 60133 (should be 58885): /var/log/sa/sa09
WARNING: File size is 1010871 (should be 1010003): /var/log/cron
WARNING: File size is 597700 (should be 597264): /var/log/maillog
NO hidden files were found.
NO hidden TCP port listeners were found.
[root@localhost interrogator]# exit
Script done on Sat Aug 9 16:01:52 2003

Fig. 20a




[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.
NO system call table modifications were found.

WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN file found: /tmp/hideme
WARNING: File size is 62629 (should be 61381): /var/log/sa/sa09
WARNING: File size is 1013693 (should be 1012816): /var/log/cron
WARNING: File size is 599450 (should be 599012): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222
[root@localhost interrogator]# exit
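The "hidden or just exited" warning above is the result of a cross-view check: the process list is enumerated two independent ways and any PID that one view returns and the other does not is reported. The script below is an added example of that technique, not the Interrogator's own code. It takes view one from a directory listing of /proc (the getdents path that a rootkit such as adore filters) and view two from probing every PID with kill(pid, 0), then excludes threads by reading Tgid from /proc/<pid>/status, which a getdents-only rootkit still leaves openable by number. The SAMPLE_* values are constructed for the stand-alone check and mirror the adore demo later on this page, where PID 1302 is made invisible.

```python
"""Cross-view detection of hidden processes on Linux (added example)."""
import os


def list_proc_pids():
    """View 1: the PIDs a directory listing of /proc returns (getdents)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def read_tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot
    be opened (hidden from lookup as well, or the task already exited)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def probe_pids(max_pid=None):
    """View 2: ids that answer kill(pid, 0), whether or not readdir lists them.
    Signal 0 delivers nothing: ESRCH means no such task, EPERM means a task
    exists but belongs to another user, so both 0 and EPERM count as alive."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed, probed, tgid_of=lambda pid: pid):
    """Pure comparison of the two views: every probed id that readdir did not
    show and that is a thread-group leader. Threads answer kill() but are
    legitimately absent from the top level of /proc, so an id whose Tgid is
    another pid is dropped. An id whose status file cannot be opened
    (tgid_of returns None) is kept: it is either hidden or just exited."""
    suspects = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            suspects.add(pid)
    return suspects


def scan():
    """Live scan of the running host; needs Linux and a readable /proc."""
    return hidden_pids(list_proc_pids(), probe_pids(), read_tgid)


# Constructed sample (not real host data): readdir does not show 1302, the
# kill() probe finds it, and 1305 is a thread of 1304 so it is not reported.
SAMPLE_LISTED = {1, 2, 1276, 1304}
SAMPLE_PROBED = {1, 2, 1276, 1302, 1304, 1305}
SAMPLE_TGID = {1: 1, 2: 2, 1276: 1276, 1302: None, 1304: 1304, 1305: 1304}

if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"WARNING: process id {pid} hidden or just exited")
```

Sweeping up to pid_max with os.kill is slow in Python (a few seconds on a default pid_max, longer on systems that raised it), which is why the tool warns that a run "may take a minute". A PID that appears and vanishes between the two views is the race the wording "or just exited" covers; rerunning and comparing is the usual way to separate it from a genuinely hidden task.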
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: f8a0f000 8000 bytes (adore)
Image stored at /tmp/interrogator/adore.o
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall[2]
syscall[4]
syscall[5]
syscall[6]
syscall[18]
syscall[37]
syscall[39]
syscall[84]
syscall[106]
syscall[107]
syscall[120]
syscall[141]
syscall[195]
syscall[196]
syscall[220]
Suspect module located

FOUND 15 Modified syscall table functions
WARNING: Found process id 836 removed from the task_queue.
Launch Path: /root/code/interrogator/demo/trojans/test
WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 2 Hidden process listings

HIDDEN file found: /tmp/hideme

WARNING: File size is 2336990 (should be 2335392): /var/log/messages

HIDDEN TCP Port Listener found: port 111
HIDDEN TCP Port Listener found: port 139
HIDDEN TCP Port Listener found: port 2222
HIDDEN TCP Port Listener found: port 6000
HIDDEN TCP Port Listener found: port 32768
HIDDEN TCP Port Listener found: port 32769

[root@localhost interrogator]# exit
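The hidden-listener lines above come from the same cross-view idea applied to sockets. The script below is an added example, not the Interrogator's code. View one is the kernel's socket table as exported in /proc/net/tcp (what netstat reads, and what a rootkit that hooks read or getdents can filter); view two is bind(2) itself, which fails with EADDRINUSE on a port that is in use no matter what the table says. The /proc/net/tcp text and the in-use set in SAMPLE_* are constructed for the stand-alone check; the live scan() reads the real files.

```python
"""Cross-view detection of hidden TCP listeners (added example)."""
import errno
import socket

LISTEN = 0x0A  # TCP_LISTEN as shown in the 'st' column of /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (listening_ports, all_local_ports) from /proc/net/tcp text.
    Field 1 is local_address as HEXIP:HEXPORT, field 3 is the socket state."""
    listening, in_table = set(), set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)
        in_table.add(port)
        if int(fields[3], 16) == LISTEN:
            listening.add(port)
    return listening, in_table


def port_in_use(port, family=socket.AF_INET):
    """Probe one port with bind(). True if the kernel reports it taken, False
    if the bind succeeded, None if the probe is inconclusive (for example an
    unprivileged bind below 1024 fails with EACCES, not EADDRINUSE)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        # Deliberately no SO_REUSEADDR: any socket holding the port collides.
        sock.bind(("", port))
        return False
    except OSError as exc:
        return True if exc.errno == errno.EADDRINUSE else None
    finally:
        sock.close()


def hidden_listeners(in_table, in_use):
    """Ports bind() says are taken but the socket table does not account for.
    Compare against every local port in the table, not only LISTEN rows: an
    established connection's local port blocks bind() just the same and must
    not be reported as a hidden server."""
    return in_use - in_table


def scan(ports=range(1, 65536)):
    """Live scan of the running host (Linux; IPv6 table included if present)."""
    accounted = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                accounted |= parse_proc_net_tcp(fh.read())[1]
        except OSError:
            pass
    in_use = {p for p in ports if port_in_use(p)}
    return hidden_listeners(accounted, in_use)


# Constructed sample (not real host data): listeners on 22 and 111, one
# established connection from local port 32770 (0x8002), nothing on 2222.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 -1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 -1
   2: 0100007F:8002 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 20 4 30 10 -1
"""
# What a bind() sweep would report on that host with a hidden server on 2222.
SAMPLE_IN_USE = {22, 111, 2222, 32770}

if __name__ == "__main__":
    for port in sorted(scan()):
        print(f"HIDDEN TCP Port Listener found: port {port}")
```

Run as root so that ports below 1024 can be probed; otherwise those ports come back as inconclusive and are skipped rather than reported. A run like the one above, where every listener on the host is flagged at once, points at a hook that blanks the whole table rather than at six separate hidden services.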
[root@localhost interrogator]# ./interrogator

Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]

Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: f8a10000 184700 bytes (homegrown)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall[3] FAILED 0xf8a11494 read
syscall[5] FAILED 0xf8a11020 open
syscall[11] FAILED 0xf8a10ebc execve
syscall[13] FAILED 0xf8a11800 time
syscall[78] FAILED 0xf8a1183c gettimeofday
syscall[141] FAILED 0xf8a11544 getdents
syscall[220] FAILED 0xf8a116c0 getdents64
Suspect module located (0xf89db6d8 - 0xf8a3f000)
FOUND 7 Modified syscall table functions

WARNING: process id 1584 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN file found: /tmp/hideme

WARNING: File size is 1021523 (should be 1020648): /var/log/cron
WARNING: File size is 603820 (should be 603384): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222
[root@localhost interrogator]# exit
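The "Deviations found in the sys_call_table" listing above is what a system-call-patching check produces: each entry of the table is compared against the range of the kernel's own text, and an entry that points elsewhere is reported together with the module whose address range contains it. The script below is an added example of that check, not the Interrogator's code. The seven hooked entries in SAMPLE_TABLE reuse the addresses printed in the listing above; the kernel text bounds, the sys_exit control address and the module ranges are assumed values, as is the way a real tool would obtain the table (from /dev/kmem on a 2.4 kernel, or from a small helper module).

```python
"""Checking a copy of sys_call_table against kernel text (added example)."""
from collections import namedtuple

Deviation = namedtuple("Deviation", "number name address module")

# i386 system call numbers used by the listings on this page (2.4-era table).
SYSCALL_NAMES = {1: "exit", 3: "read", 5: "open", 11: "execve", 13: "time",
                 78: "gettimeofday", 141: "getdents", 220: "getdents64"}


def locate(address, modules):
    """Name of the module whose [start, end) range holds address, else None."""
    for name, start, end in modules:
        if start <= address < end:
            return name
    return None


def check_sys_call_table(table, text_start, text_end, modules):
    """Return a Deviation for each entry whose handler is not inside
    [text_start, text_end). `table` maps syscall number -> handler address;
    `modules` is a list of (name, start, end) for loaded modules."""
    deviations = []
    for number in sorted(table):
        addr = table[number]
        if text_start <= addr < text_end:
            continue                      # handler lives in the kernel proper
        deviations.append(Deviation(number, SYSCALL_NAMES.get(number, "?"),
                                    addr, locate(addr, modules)))
    return deviations


def suspect_modules(deviations):
    """Modules that own at least one hooked entry. None in the result means a
    handler that points into no known module: either a module unlinked from
    the module list (hidden) or memory the tool has no map for."""
    return {d.module for d in deviations}


# Assumed layout (not measured): text of a 2.4 i386 kernel and two modules,
# one of them the 184700-byte "homegrown" module reported above.
TEXT_START, TEXT_END = 0xC0100000, 0xC02E0000
MODULES = [("homegrown", 0xF8A10000, 0xF8A10000 + 184700),
           ("e100", 0xF8850000, 0xF8860000)]

# Constructed table: hooked entries carry the addresses from the listing
# above; sys_exit is given an in-kernel address as the unmodified control.
SAMPLE_TABLE = {1: 0xC0118A30, 3: 0xF8A11494, 5: 0xF8A11020, 11: 0xF8A10EBC,
                13: 0xF8A11800, 78: 0xF8A1183C, 141: 0xF8A11544, 220: 0xF8A116C0}

if __name__ == "__main__":
    found = check_sys_call_table(SAMPLE_TABLE, TEXT_START, TEXT_END, MODULES)
    for d in found:
        print(f"syscall[{d.number}] FAILED 0x{d.address:08x} {d.name}")
    print(f"FOUND {len(found)} Modified syscall table functions")
    print("Suspect modules:", ", ".join(str(m) for m in suspect_modules(found)))
```

The check only sees table entries that were redirected. A rootkit that leaves sys_call_table alone and patches the first bytes of the handler itself, or hooks a VFS operation instead, passes this test, which is why the tool pairs it with the independent hidden-process, hidden-file and hidden-listener views.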
SSH_AGENT_PID=4606
HOSTNAME=string-1.internal.vlan.iwc.sytexinc.com
PVM_RSH=/usr/bin/rsh
SHELL=/bin/bash
TERM=xterm
HISTSIZE=1000
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc-1.2-gnome2
WINDOWID=27270368
QTDIR=/usr/lib/qt-3.1
LS_COLORS=
PVM_ROOT=/usr/share/pvm3
SSH_AUTH_SOCK=/tmp/ssh-XX3Bs0yB/agent.4542
SESSION_MANAGER=local/string-1.internal.vlan.iwc.sytexinc.com:/tmp/.ICE-unix/4542
USERNAME=root
MAIL=/var/spool/mail/root
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:usr/local/netscape
INPUTRC=/etc/inputrc
PWD=/root
XMODIFIERS=@im=none
LANG=en_US.UTF-8
LAMHELPFILE=/etc/lam/lam-helpfile
GDMSESSION=Default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
HOME=/root
SHLVL=2
XPVM_ROOT=/usr/share/pvm3/xpvm
GNOME_DESKTOP_SESSION_ID=Default
BASH_ENV=/root/.bashrc
LOGNAME=root
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
G_BROKEN_FILENAMES=1
COLORTERM=gnome-terminal
XAUTHORITY=/root/.Xauthority
_=/usr/bin/ssh

Script started on Sun Jan 11 10:18:52 2004

[root@localhost recovery]# ./recovery

Terminate hidden processes? [Y]

Recover system call table? [Y]

Remove hidden files [N] Y

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO system call table modifications were found
NO hidden processes were found
[root@localhost recovery]# exit
Script done on Sun Jan 11 10:19:03 2004
Script started on Sun Jan 11 10:31:02 2004
[root@localhost adore]# ./startadore

Warning: loading cleaner.o will taint the kernel: no license

See http://www.tux.org/lkml/#export-tainted for information about tainted modules

Module cleaner loaded, with warnings

[root@localhost adore]# /tmp/test

[root@localhost adore]# ps -ef | grep test

root      1302  1276  0 10:35 pts/3    00:00:00 /tmp/test

root      1304  1043  0 10:35 pts/1    00:00:00 grep test

[root@localhost adore]# ./ava i 1302
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
Made PID 1302 invisible.

[root@localhost adore]# ./ava h /tmp/test
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
File '/tmp/test' hided.

[root@localhost adore]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost adore]# ps -ef | grep test
[root@localhost adore]# exit
Script done on Sun Jan 11 10:35:40 2004
Script started on Sun Jan 11 10:52:37 2004
[root@localhost recovery]# ./recovery
Terminate hidden processes? [Y]
Recover system call table? [Y]
Remove hidden files [N] Y

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING: process id 1302 hidden or just exited (test)

Launch Path: /tmp/test

TERMINATED 1 Hidden process listing

[root@localhost recovery]# exit

Script done on Sun Jan 11 10:54:26 2004
Script started on Sun Jan 11 10:35:21 2004
[root@localhost recovery]# /tmp/test
Running 1
Running 2
Running 3
Running 4
Running 5
Running 6
Running 7

Hangup

Script done on Sun Jan 11 10:55:12 2004
Script started on Sun Jan 11 10:57:09 2004
[root@localhost recovery]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost recovery]# sum /tmp/test
03965    12

[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y] N
Delete hidden files? [N] Y
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

REMOVED /tmp/test

[root@localhost recovery]# ls /tmp

ssh-XXAbS7W

ssh-XXEZXD3

[root@localhost recovery]# sum /tmp/test
sum: /tmp/test: No such file or directory

[root@localhost recovery]# exit

Script done on Sun Jan 11 10:57:47 2004
Script started on Sun Jan 11 10:57:57 2004
[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y]
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary

View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: d09cb000 7968 bytes (adore)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall[2] FAILED
syscall[4] FAILED
syscall[5] FAILED
syscall[6] FAILED
syscall[18] FAILED
syscall[37] FAILED
syscall[39] FAILED
syscall[84] FAILED
syscall[106] FAILED
syscall[107] FAILED
syscall[120] FAILED
syscall[141] FAILED
syscall[195] FAILED
syscall[196] FAILED
syscall[220] FAILED
RECOVERED 15 Modified syscall table functions

[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y]
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO system call table modifications were found.
Script started on Sun Jan 11 11:31:47 2004

[root@localhost adore]# ps -ef | grep test

root      1284  1258  0 11:31 pts/1    00:00:00 /tmp/test

[root@localhost adore]# ls /tmp

ssh-XXAbS7W

ssh-XXEZXD3

test

[root@localhost adore]# ./startadore

Warning: loading cleaner.o will taint the kernel: no license

See http://www.tux.org/lkml/#export-tainted for information about tainted modules

Module cleaner loaded, with warnings

[root@localhost adore]# ./ava i 1284
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
Made PID 1284 invisible.

[root@localhost adore]# ./ava h /tmp/test
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
File '/tmp/test' hided.

[root@localhost adore]# ps -ef | grep test
[root@localhost adore]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost adore]# cd ../interrogator/recovery
[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y] Y
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: d09cb000 7968 bytes (adore)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall[2] FAILED fork
syscall[4] FAILED write
syscall[5] FAILED open
syscall[6] FAILED close
syscall[18] FAILED stat
syscall[37] FAILED kill
syscall[39] FAILED
syscall[84] FAILED
syscall[106] FAILED
syscall[107] FAILED
syscall[120] FAILED
syscall[141] FAILED
syscall[195] FAILED stat64
syscall[196] FAILED
syscall[220] FAILED
RECOVERED 15 Modified syscall table functions
[handler addresses in the listing, only partly legible in the figure: 0xd09cb650 0xd09cc184 0xd09cb898 0xd09cbbe4 0xd09cb710 0xd09cb9a0 0xd09cbcd0 0xd09cbe94 0xd09cb6b0]

[root@localhost recovery]# ps -ef | grep test

root      1284  1258  0 11:31 pts/1    00:00:00 /tmp/test

root      1345  1288  0 11:33 pts/2    00:00:00 grep test

[root@localhost recovery]# ls /tmp

ssh-XXAbS7W

ssh-XXEZXD3

test

[root@localhost recovery]# exit

Script done on Sun Jan 11 11:33:21 2004